At Cisco's behest, the FBI is now investigating the source code theft as more …


At Cisco's request, the FBI is now looking into the recent theft of source code for Cisco IOS 12.3. According to sources, the saga began when the culprit compromised a Sun server on Cisco's network. After locating and copying the source code, "Franz" (as the hacker was nicknamed) posted a link on IRC to a 3MB archive containing a portion of the code. That snippet was hosted on a Dutch FTP server belonging to the University of Utrecht, a server open to the public for hosting small files. New samples of the code have since surfaced:

Examples of the additional source code files viewed by IDG News Service differ from the two code files posted on www.securitylab.ru, and appear to be written in the C programming language. One, named snmp_chain.c, dates to 1993 and is credited to Robert Widmer. Another, named http_auth.c and containing a module for HTTP authentication routines, is dated March 2002 and credited to Saravanan Agasaveeran... A Cisco source confirms Agasaveeran is a Cisco employee in San Jose, California. No information was immediately available on Widmer.

The FBI and Cisco have a large investigative task ahead of them. If the code was indeed taken from a Sun server, the theft came straight off Cisco's corporate network, rather than from a copy stored on a laptop or from an account connecting over VPN. That distinction matters for the investigation: it points to a compromised internal host rather than a stolen device or a stolen set of remote-access credentials.

The larger question is that of the security implications of the breach. As we said on Saturday night when we first reported the story, Cisco relies on "security through obscurity" to a significant degree: because IOS is closed source, anyone hunting for flaws has had to work from binaries and reverse-engineer them. Now that at least some of the source code is circulating, reading it directly lowers the cost of finding vulnerabilities in the software running on a large share of the routers that handle Internet traffic.

Of course, reading the code for bugs requires nothing more than a text editor; what does require effort is turning a suspected bug into a working exploit, since testing it means compiling the code and running it on the appropriate Cisco hardware. While the source circulates, Cisco will presumably be auditing its own code for the same flaws others will be looking for, and issuing patches when necessary. However, offering patches and getting them applied to every affected device on the Internet are two very different things, and routers in particular tend to go unpatched for long periods. So we may see the occasional "hiccup" in traffic as a result, but the likelihood of the code theft bringing the Internet to its knees is remote at best.